BIS ER-01: India’s New Cybersecurity Rule for CCTV Cameras

Posted by

April 18, 2026

On March 14, 2026

India's new BIS ER-01 certification means every IP camera sold after April 1, 2026 must meet mandatory cybersecurity standards — here's what it means, who's certified, and what you should do today.

By Fgtech Store

Tech Tomorrow

for you, with you

March 15, 2026 • Issue #7 • 6 min read

📌

From our Desk

The camera you bought to protect your home might be the one compromising it.

On March 3, 2026, TP-Link announced that two of its VIGI cameras (C340 & C440) received a new certification called BIS ER-01 (Bureau of Indian Standards - Essential Requirement(s)).

A government certification, a fast-approaching deadline, and a market where 80% of cameras are made by companies now effectively locked out. The BIS ER-01 story is bigger than the TP-Link headline. Here's what's happening, what does this certification actually mean, and why should you care?

This issue is different from our usual hardware deep-dives, but the principle is the same: understanding what's inside the box before you buy.

— Shailendra Jain, Founder - FGTech

In this issue

What BIS ER-01 actually is (and what it replaced)
What a certified camera must pass: the cybersecurity checklist
Real-world hacking incidents that made this regulation necessary
The April 1 deadline, penalties, and who's certified so far
What this means if you're buying a camera in 2026

🔒 The Regulation

What is BIS ER-01? (And why it exists now)

Until recently, a CCTV camera only needed to pass a basic electrical safety test (IS 13252) to be sold in India. That test checked whether the camera was safe to plug in: protection against electric shock, insulation, and fire hazards. That's it.

Think of it like a restaurant that only needed a fire safety certificate to open. Nobody checked if the kitchen was clean, if the food was fresh, or if employees washed their hands. The building wouldn't burn down, but you might still get sick.

Before ER-01: only fire safety (electrical test). After ER-01: electrical safety plus cybersecurity grade certification

Before vs After ER-01: from electrical safety only to full cybersecurity certification

BIS ER-01 changes that. Issued by MeitY (Ministry of Electronics and IT) via a gazette notification in April 2024 and administered by BIS, it adds a mandatory cybersecurity layer on top of the existing electrical safety requirement. Now, every IP camera (any camera that connects to your network) sold in India must prove it's not just safe to plug in, but also safe to connect to your network.

There's one more thing worth knowing before we move on. Two government bodies are involved in camera certification: BIS and STQC, and they're not the same thing. One is your licence to sell to anyone. The other is a passport for government projects. Here's how they compare:

If you are intersted to know more about STQC, check our detailed explanation where we also cover full list of STQC certified CCTV camera models.

BIS ER-01 vs STQC IoTSCS: two certifications, different purposes

🔎 The Checklist

What does a camera need to pass?

Six key cybersecurity requirements every IP camera must now pass —

1. No default passwords – The "admin/admin" era is over. Cameras must force unique, strong passwords during the first setup. This alone would have prevented many of the incidents we'll cover below.

2. Encrypted video streams – All data must travel over TLS/HTTPS. No more sending unprotected video across your network where anyone can intercept it.

3. Secure boot & signed firmware – The camera verifies its own software integrity every time it starts up. Only cryptographically signed firmware can run, so nobody can inject malicious code.

4. Disabled test ports – Manufacturer debugging interfaces must be shut down before the camera leaves the factory. Open debug ports are one of the most common entry points for hackers.

5. Supply chain transparency – Manufacturers must declare the origin of chipsets, PCBs, and processors. Think of it like ingredient labelling on food; now the government checks where your camera's brain comes from.

6. Vulnerability disclosure policy – Brands must maintain a formal process for reporting and patching security flaws. This means ongoing accountability, not just a one-time test.

On top of all this, cameras are stress-tested against simulated cyberattacks, and manufacturing facilities are audited for quality control.

Six cybersecurity requirements every IP camera must pass under BIS ER-01

⚠️ Why This Matters

Your camera can be a weapon against you

Three real incidents that show why CCTV cybersecurity certification was overdue

Mirai Botnet (2016) – A malware scanned the internet for cameras with default passwords, hijacked over hundreds of thousands of cameras, routers, and IoT devices, and built one of the largest botnets ever seen. It nearly brought down major internet services globally. The entry point? Cameras still set to "admin/admin."

Insecam (2014–present) – A website displayed live feeds from over 73,000 cameras worldwide initially, now filtered down to ~2,000+ feeds, but still live today. It did all this not through any sophisticated hack, but simply because owners never changed the default password. Strangers could watch warehouses, gyms, and children's bedrooms.

India: The Navy & Railway incidents – In 2021, India's IT minister told Parliament that roughly 1 million government CCTV cameras were made by Chinese companies, with concerns about video data being transferred to foreign servers. The Indian Navy ordered the removal and destruction of all Hikvision cameras. Railways discovered suspected Chinese cameras with forged country-of-origin documents at stations.

An unprotected camera is like a security guard with no background check; you hope he's on your side, but you have no way to verify it. ER-01 is designed to change that: it forces manufacturers to prove their camera is accountable, patchable, and actually working for you.

📅 The Deadline

April 1, 2026: what changes

The government gave the industry time to prepare. New BIS licences without ER-01 compliance stopped being issued from April 9, 2025. Brands that didn't get certified could sell existing warehouse stock for a while, but that grace period is now over.

From April 1, 2026, selling a non-compliant camera in India carries fines of up to 10× the product's value and up to 2 years in prison. BIS is already raiding warehouses.

Existing cameras already installed in your home or office are unaffected. The rule targets new sales, not existing use. And analog cameras are exempt; this applies only to IP (network-connected) cameras.

What's coming next

The pipeline is building. HiFocus has announced plans to certify 50+ models. CP PLUS and PRAMA are actively expanding their certified ranges. TP-Link is expected to put more VIGI models through certification now that the process is underway — getting the first two approved is the hardest part, and the rest of a product line typically follows faster. Sparsh, already India's widest-certified range, continues to add models. The short version: the certified catalogue is going to look very different by the end of 2026 than it does today.

💡 The News Behind The News

TP-Link's timing tells the real story

TP-Link announced its certification on March 3, just 25 days before the April 1 hard deadline. Before ER-01, both their cameras were legally sold under the older electrical-safety-only BIS registration. Now they're one of the few international brands with a licence to import and sell new stock after April 2026.

What this means if you're buying a camera in 2026

Look for BIS ER-01 compliance. It's the closest thing to a guarantee that your camera meets basic cybersecurity hygiene.

If you already own cameras

They'll keep working. But be aware that firmware updates, patches, and support for non-compliant brands will gradually dry up. DVRs and NVRs are currently unregulated but expected to come under similar rules soon.

Take these 3 steps today:

3 steps: change default password, check firmware updates, disable remote access

3 steps to secure your camera today

✅ Verify It

Verify it yourself

5 steps to check if a camera is legitimately certified

5-step verification: works for any BIS-regulated electronics, not just cameras

This database is public and free. Bookmark it — it works for any BIS-regulated electronics, not just cameras.

If you're buying a new CCTV system and want to make sure you get everything right — from resolution and IP ratings to which brands are actually certified — read our complete guide to choose the right CCTV camera in India.

Before You Go...

Hit reply and tell us:

What brand of CCTV camera do you currently use?
Did you know about ER-01 before reading this?

Give us your honest feedback

This issue was a different topic from our usual hardware series: a deep dive into a regulation that directly affects camera buyers.

Was this useful? Should we cover more regulation explainers like this?

🔥 Loved it, do more like this 👍 Good, but prefer hardware topics 🤔 Not relevant to me

FGTech Store

Unit no 104, A Wing, Sagar Tech Plaza, Sakinaka, Andheri (E), Mumbai
Maharashtra, India - 400072

Curated by Geet Gera

Sign Up to our newsletter for latest updates?

Mon-Sat (10am-6pm)

All India

Before You Go...

Give us your honest feedback

Sign Up to our newsletter for latest updates?

Mon-Sat (10am-6pm)

All India

Tech Tomorrow

The camera you bought to protect your home might be the one compromising it.

In this issue

What is BIS ER-01? (And why it exists now)

What does a camera need to pass?

Your camera can be a weapon against you

April 1, 2026: what changes

What's coming next

TP-Link's timing tells the real story

What this means if you're buying a camera in 2026

If you already own cameras

Verify it yourself

Before You Go...

Give us your honest feedback

Leave a Reply Cancel reply